From d30c94afe4e67298b3da6fd839e0210844cf45a5 Mon Sep 17 00:00:00 2001 From: Matus Fabian Date: Thu, 1 Mar 2018 04:48:33 -0800 Subject: NAT44: interface output feature and service host direct access (VPP-1176) forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian (cherry picked from commit 204591d1bd754f6086edcf8b27a95beab929a78f) --- src/plugins/nat/in2out.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++-- src/plugins/nat/out2in.c | 58 +++++++++++++++++++++++++++++++++++++++--- test/test_nat.py | 44 ++++++++++++++++++++++++++++++++ 3 files changed, 161 insertions(+), 6 deletions(-) diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c index fae930b607f..134d652feb0 100755 --- a/src/plugins/nat/in2out.c +++ b/src/plugins/nat/in2out.c @@ -464,6 +464,47 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static inline int +nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + udp_header_t *udp; + + if (!sm->forwarding_enabled) + return 0; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return 0; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.r_port = udp->dst_port; + key.l_port = udp->src_port; + } + else + { + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value)) + return value.value == ~0ULL; + + return 0; +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -1283,6 +1324,8 @@ snat_in2out_lb (snat_main_t *sm, if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value)) { + if (s_value.value == ~0ULL) + return 0; s = pool_elt_at_index (tsm->sessions, s_value.value); } else @@ -1517,6 +1560,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace00; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1703,6 +1752,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1))) + goto trace01; + } + if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP)) { next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1716,8 +1771,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } - b1->flags |= VNET_BUFFER_F_IS_NATED; - key1.addr = ip1->src_address; key1.port = udp1->src_port; key1.protocol = proto1; @@ -1780,6 +1833,8 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } + b1->flags |= VNET_BUFFER_F_IS_NATED; + old_addr1 = ip1->src_address.as_u32; ip1->src_address = s1->out2in.addr; new_addr1 = ip1->src_address.as_u32; @@ -1925,6 +1980,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace0; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index 7f500a916f0..11e39ec07a8 100755 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -311,6 +311,43 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static void +create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv; + udp_header_t *udp; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = udp->dst_port; + key.r_port = udp->src_port; + } + else + { + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + kv.value = ~0ULL; + + if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) + clib_warning ("in2out_ed key add failed"); +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -382,6 +419,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, } else { + create_bypass_for_fwd(sm, ip0); dont_translate = 1; goto out; } @@ -1112,7 +1150,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ @@ -1275,7 +1316,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace1; } else - goto trace1; + { + create_bypass_for_fwd(sm, ip1); + goto trace1; + } } /* Create session initiated by host from external network */ @@ -1474,7 +1518,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace00; } else - goto trace00; + { + create_bypass_for_fwd(sm, ip0); + goto trace00; + } } /* Create session initiated by host from external network */ @@ -1714,7 +1761,10 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ diff --git a/test/test_nat.py b/test/test_nat.py index c89180609fe..f039faf84fe 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -2697,6 +2697,50 @@ class TestNAT44(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:"), p) raise + def test_output_feature_and_service2(self): + """ NAT44 interface output feature and service host direct access """ + self.vapi.nat44_forwarding_enable_disable(1) + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_output_feature(self.pg1.sw_if_index, + is_inside=0) + + # session initiaded from service host - translate + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture) + + pkts = self.create_stream_out(self.pg1) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + tcp_port_out = self.tcp_port_out + udp_port_out = self.udp_port_out + icmp_id_out = self.icmp_id_out + + # session initiaded from remote host - do not translate + pkts = self.create_stream_out(self.pg1, + self.pg0.remote_ip4, + use_inside_ports=True) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, + same_port=True) + def test_one_armed_nat44(self): """ One armed NAT44 """ remote_host = self.pg9.remote_hosts[0] -- cgit 1.2.3-korg